Integer overflow and remote code are never a nice mix. This has existed since commit 56cd414. * src/libvirt.c (virDomainGetVcpus): Reject overflow up front. * src/remote/remote_driver.c (remoteDomainGetVcpus): Avoid overflow on sending rpc. * daemon/remote.c (remoteDispatchDomainGetVcpus): Avoid overflow on receiving rpc.
---
Gnulib makes checking for multiply overflow easy.
 daemon/remote.c | 4 +++-
 src/libvirt.c | 5 +++--
 src/remote/remote_driver.c | 4 +++-
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/daemon/remote.c b/daemon/remote.c
index 48624d6..8d04fc7 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -61,6 +61,7 @@
 #include "network.h"
 #include "libvirt/libvirt-qemu.h"
 #include "command.h"
+#include "intprops.h"
 #define VIR_FROM_THIS VIR_FROM_REMOTE
@@ -1074,7 +1075,8 @@ remoteDispatchDomainGetVcpus(struct qemud_server *server ATTRIBUTE_UNUSED,
 goto cleanup;
 }
- if (args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
+ if (INT_MULTIPLY_OVERFLOW(args->maxinfo, args->maplen) ||
+ args->maxinfo * args->maplen > REMOTE_CPUMAPS_MAX) {
 virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo * maplen > REMOTE_CPUMAPS_MAX"));
 goto cleanup;
 }
diff --git a/src/libvirt.c b/src/libvirt.c
index 76e16ad..9fe9a69 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -39,6 +39,7 @@
 #include "util.h"
 #include "memory.h"
 #include "configmake.h"
+#include "intprops.h"
 #ifndef WITH_DRIVER_MODULES
 # ifdef WITH_TEST
@@ -7153,8 +7154,8 @@ virDomainGetVcpus(virDomainPtr domain, virVcpuInfoPtr info, int maxinfo,
 /* Ensure that domainGetVcpus (aka remoteDomainGetVcpus) does not try to memcpy anything into a NULL pointer. */
- if ((cpumaps == NULL && maplen != 0)
- || (cpumaps && maplen <= 0)) {
+ if (!cpumaps ? maplen != 0
+ : (maplen <= 0 || INT_MULTIPLY_OVERFLOW(maxinfo, maplen))) {
 virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
 goto error;
 }
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index a7ac90a..f2edf43 100644
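Review bot: In daemon/remote.c, the new guard in remoteDispatchDomainGetVcpus still lets through a negative `args->maxinfo` or `args->maplen` whose product does not wrap. INT_MULTIPLY_OVERFLOW reports only wrap-around, and a negative or small positive product passes the `> REMOTE_CPUMAPS_MAX` comparison. Assuming both fields are signed ints taken from the client's RPC arguments, and unless a check outside this hunk already rejects them, the condition should start with `args->maxinfo < 0 || args->maplen < 0 ||` so that neither value is later used as a size. The function body starts and ends outside the hunk, so the earlier bounds check that ends at `goto cleanup; }` is only partly visible.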
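Review bot: In src/libvirt.c, the comment above the rewritten condition in virDomainGetVcpus still describes only the NULL-pointer memcpy guard, although the condition now also rejects a `maxinfo * maplen` product that overflows int. I would extend the comment with a sentence such as `Also reject maxinfo * maplen overflowing int, so drivers can size the cpumaps buffer without wrap-around.` The conditional expression inside the `if` is also harder to scan than the two parenthesised clauses it replaces. Keeping the old two clauses and adding `|| (cpumaps && INT_MULTIPLY_OVERFLOW(maxinfo, maplen))` would read more directly. The function starts and ends outside the hunk, so any earlier validation of `maxinfo` is not visible here.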
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -83,6 +83,7 @@
 #include "ignore-value.h"
 #include "files.h"
 #include "command.h"
+#include "intprops.h"
 #define VIR_FROM_THIS VIR_FROM_REMOTE
@@ -2161,7 +2162,8 @@ remoteDomainGetVcpus (virDomainPtr domain,
 maxinfo, REMOTE_VCPUINFO_MAX);
 goto done;
 }
- if (maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
+ if (INT_MULTIPLY_OVERFLOW(maxinfo, maplen) ||
+ maxinfo * maplen > REMOTE_CPUMAPS_MAX) {
 remoteError(VIR_ERR_RPC, _("vCPU map buffer length exceeds maximum: %d > %d"), maxinfo * maplen, REMOTE_CPUMAPS_MAX);
--
1.7.4.4
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
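Review bot: In remoteDomainGetVcpus (src/remote/remote_driver.c), when `INT_MULTIPLY_OVERFLOW(maxinfo, maplen)` is true the error path still evaluates `maxinfo * maplen` as an argument to remoteError. The signed overflow the new check is meant to avoid therefore still happens on that path, and the reported length is a wrapped value. Report the operands instead of their product: `_("vCPU map buffer length exceeds maximum: %d * %d > %d"), maxinfo, maplen, REMOTE_CPUMAPS_MAX);`. The function body continues outside the hunk.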